How To: Use SecGen to Generate a Random Vulnerable Machine

Use SecGen to Generate a Random Vulnerable Machine

Recently, I ran across SecGen, a project which allows a user to create random vulnerable machines. I absolutely love vulnerable machines, since a vulnerable VM is a safe and legal way to practice hacking tactics, test out new tools, and exercise your puzzle-solving skills.

What really got me interested in SecGen was the randomization feature. Most vulnerable machine downloads are static, meaning each version will always have the same vulnerabilities. Not very realistic. SecGen is different because it can generate unique vulnerable machines.

Instead of digging through VulnHub, or going through the Metasploitable checklist, you can have a vulnerable machine ready to go in minutes, with a different set of challenges each time. SecGen also allows for a good bit of user customization, which would make it useful in generating CTFs, or specifying a challenge for yourself.

In this article, I will cover the installation of SecGen on Kali Linux and the generation of a vulnerable machine. If you need a good starter Kali computer for hacking, you can check out our guide linked below on setting one up on the low-cost Raspberry Pi.

Step 1: Installing SecGen

As always, we'll need to update before beginning to ensure everything works properly. You can do this by running apt-get update. After updating, the first thing to do is clone a copy of this project from the git repository. To do so, type the following into terminal.

git clone https://github.com/SecGen/SecGen

Once we have our source where we want it, it's time to make sure we have all the dependencies required. To do so, execute the following command in terminal.

sudo apt install ruby-dev zlib1g-dev liblzma-dev build-essential patch virtualbox ruby-bundler vagrant imagemagick libmagickwand-dev

Once all of the dependencies have completed installation, navigate to your SecGen directory with cd SecGen and run the command:

bundle install

I didn't prepend sudo to this command because it's better practice to run bundle as a non-privileged user. It will prompt for your password, when necessary. Running bundle as root can cause issues and conflicts on your system.

If you get a message like the one above, simply check your Ruby version number by typing the following.

ruby --version

Depending on your Ruby version complete the steps required. In my case, none.

Step 2: Setting Up Your First VM

Generating a random vulnerable VM is supposed to be as easy as typing the following into terminal.

ruby secgen.rb run

Unfortunately, at the time of writing, there is an issue with the version of Vagrant from the Kali repository. I also had some issues with Ruby gems. If your machine refuses to come up and has fatal errors, I recommend downgrading your version of Vagrant. In order to do this, you can execute the following command in terminal.

apt purge vagrant

Then, download the Debian package from the Vagrant site.
We'll use dpkg to install the vagrant.deb file by typing the following.

dpkg -i vagrant1.9.7x86_64.deb

Now, go back to your SecGen folder and try the following command.

ruby secgen.rb run

If this works without errors, you don't need to clean up your Ruby gems. If you encounter errors, you may have some gem issues to fix. You can fix these issues with the command below.

sudo gem cleanup

I had to do both of the above steps in order to get SecGen running on my system. You may not need to do any. I hope that this issue will be resolved fairly quickly in the future. Once I had completed both steps, I was able to start building my vulnerable machine with the following command.

ruby secgen.rb run

The build process takes some time, but it's not too bad. Considering the time it takes to put together a vulnerable machine as an individual, this wait is painless.

Looks good. We now have a randomized vulnerable machine. Below, we can see some of the details of our machine.

Networking Your Vulnerable Guest OS

As it stands, VirtualBox defaults the machine networking mode to NAT. This isn't going to work for our purposes because while a NAT connected guest will be able to access the internet, it will not be accessible by our host operating system.

Image via VirtualBox Manual

We're going to want to change from NAT to a method that allows us to talk to the VM. Depending on what we want to do, our options are host-only or bridged. Bridged would expose our vulnerable machine to our internal network. This can be a bad thing, so I selected host-only. In VirtualBox, with the machine selected, select "Settings," then select "Network" and change from "NAT" to "Host-only Adapter."

This is a safe option for a vulnerable machine. Lastly, we need to find the machine on the network. Usually, you would just log in and check the address, but since this is a boot-to-root, we need to figure out where it is. To do so, we will execute the following command.

sudo ifconfig

If you have an issue with ifconfig, you can run apt-get install net-tools.

Ifconfig gives us the status of our vboxnet0 adapter, and tells us where to look for our vulnerable machine, in this case the 172.28.128.0/24 address space. Next, let's execute the following command.

nmap 172.28.128.0/24 -sn

Nmap should return two results, your host machine, and your guest machine. From here, you should be able to launch your attack on the machine.

Digging a Little Deeper

If you find yourself stuck on a machine, you can have a look at the scenario that was generated for the machine. From within the SecGen repository folder, issue the following command.

cd projects

This directory contains previously generated machines. I only have one machine, so I change directories into that machines directory. Within that directory, there is a scenario.XML file. You can view it with the following command.

cat scenario.xml | less

Or, you can alternatively with your favorite text editor, like Vim, by typing the following.

vim scenario.xml

I prefer Vim because it offers syntax highlighting.

If you're looking for hints, you can also type the following into terminal.

cat marker.xml | less

This will give you hints to help you figure out your randomly generated machine.

Step 3: Generating Other Scenarios

Writing your own scenarios is out of the scope of this article, but is well-documented at the SecGen GitHub page. Beyond just generating a random VM with the default scenario, some other scenarios can be passed. An example is below.

ruby secgen.rb --scenario scenarios/examples/remotely_exploitable_user_vulnerability.xml run

This will create a VM that has a random remotely exploitable vulnerability. which results in a low privilege compromise.

ruby secgen.rb --scenario scenarios/security_audit/team_project_scenario.xml run

This creates a vulnerable set of machines, simulating a mini enterprise structure. SecGen creates an intranet server, a desktop machine, and a web server. These systems can then be configured in such a way as to simulate a breach into an internal network. This is excellent for practicing network pivots.

You can find more examples in your ./SecGen/scenarios/examples directory.

Stick Around for More on Vulnerable VMs

SecGen is an excellent tool to generate vulnerable VMs. The speed and variety make it perfect for students. I'm hoping that as the tool matures, a community will grow around creating scenarios and distributing them. The educational value is definitely there, and my hope is that the project continues on strong!

Stay tuned for my following article, in which I will attack my newly generated random VM.

Just updated your iPhone to iOS 18? You'll find a ton of hot new features for some of your most-used Apple apps. Dive in and see for yourself:

Cover photo and screenshots by Barrow/Null Byte

19 Comments

Great tutorial .
I tried it today but got stuck at login command-line of Debian /Linux vm.

I scanned it but all ports all filtered , maybe this is happening because the vm didnt start correctly yet or i dont know the user/password for it lol.

What should i do ?

Need to hack it to get a login. If you're totally stuck consult the hints it generates.

Nevermind , i got another VM and I followed your Attack a Vulnerable Practice Computer: A Guide from Scan to Shell post .

My VM has 2 open ports FTP and IRC , the FTP (VSFTPD 2.0.8)isnt vulnerable so I exploited the IRC server just as you did , now im stuck on getting root.

If you could make an article on Enumerating the system(what it means , how its done , for what do we need it ..) I would be grateful !

I read the marker.xml file and it said there is something vulnerable in terms of its webapp...

So, I scanned the system with nmap (nmap -sV -sC -A 172.28.128.3 ) and found this:

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01.10 18:41 CET

Nmap scan report for vulnerable (172.28.128.3)
Host is up (0.00066s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0 (protocol 2.0)
| ssh-hostkey:
| 1024 77:d4:4c:b2:17:6d:78:9c:1e:48:b0:3d:90:a5:c1:e7 (DSA)
| 2048 70:8f:7f:ea:0a:31:67:5e:31:fb:1d:f5:8d:27:22:dc (RSA)
|_ 256 7d:40:a9:af:d8:6b:4b:8f:44:7f:15:03:c3:60:15:7c (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Unix) DAV/2 PHP/5.4.3)
|_http-server-header: Apache/2.2.22 (Unix) DAV/2 PHP/5.4.3
|_http-title: GitList

Gitlist is in the version 0.4.0 vulnerable (fixed in 0.5.0).

So fire up Metasploit!

Hello,

I'm having some issues because no VM is made and automatically imported which is what is supposed to happen i'm assuming by looking at your tutorial.. instead I get this message;

==> storage_server: Notice: /Stagemain/Vsftpd/Servicevsftpd: Triggered 'refresh' from 3 events
==> storage_server: Notice: Applied catalog in 11.09 seconds
VMs created.

There is a folder in the projects folder but I have no idea how to build it into a readable VM file for use with oracle/qemu.

Can someone help please?

Many thanks!

try cd into the folder and vagrant up.

Thanks for the response, really appreciate the tutorial and the help, can't wait to use this to practice.

I figured out my issue was I needed to chmod 777 -R the SecGen folder, after that everything installed and is up and running.

Glad you figured it out. Happy hacking!

Hi Guys!

I'm in a spot of trouble after executing the command: sudo apt install ruby-dev zlib1g-dev liblzma-dev build-essential patch virtualbox ruby-bundler vagrant imagemagick libmagickwand-dev

I get the following result:

Reading package lists... Done
Building dependency tree
Reading state information... Done
Package virtualbox is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'virtualbox' has no installation candidate

Can somebody please put me on the right track? Thanks!

Did you apt update?

In Kali Linux I did apt update, then apt show virtualbox
Package: virtualbox
Version: 5.1.26-dfsg-2
Priority: optional
Section: contrib/misc
Maintainer: Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>
Installed-Size: 73.8 MB

Appears to be working.

*Hi Barrow,
thanks for your help. I updated Kali as you said but the result is rather the same. What do you reckon?*

root@kali:~# apt update
Get:1 http://kali-za.bitcrack.net/kali kali-rolling InRelease 30.5 kB
Get:2 http://kali-za.bitcrack.net/kali kali-rolling/contrib Sources 65.1 kB
Get:3 http://kali-za.bitcrack.net/kali kali-rolling/main Sources 11.4 MB
Get:4 http://kali-za.bitcrack.net/kali kali-rolling/main armhf Packages 15.0 MB
Get:5 http://kali-za.bitcrack.net/kali kali-rolling/contrib armhf Packages 88.7 kB
Fetched 26.6 MB in 19s (1355 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
7 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@kali:~# apt show virtualbox
Package: virtualbox
State: not a real package (virtual)
N: Can't select candidate version from package virtualbox as it has no candidate
N: Can't select versions from package 'virtualbox' as it is purely virtual
N: No packages found
root@kali:~#

*I also did:
apt-get update
apt-get upgrade
apt-get dist-upgrade*

root@kali:~# apt list --upgradable
Listing... Done
root@kali:~#

That's really weird, VirtualBox isn't listed as a virtual package in Debian. You could try using dpkg to install the virtualbox.deb, but it sounds like something is off with your apt configuration. Or you could build from source.

I realised I tried to install on a Raspberry. I guess this is where the problem lies. Would it run on a Raspberry Pi3 you think?

I am not sure, virtualization in a Pi maybe limited.

Hello everyone!

I just stepped over SecGen and I wanted to try it out on my Linux GNU.

I installed SecGen and VirualBox. But when I run the command : ruby secgen.rb run it runs all fine. Until it shows: "Bringing machine 'storage_server' up with 'virtualbox' provider..."

Sounds good? No, Iet it load like 3 hours and more... can anyone help me?

Thanks:D

Looks like an great practicing thing to do!

but, i got a problem i couldn't fix my self, i tried a few things, but those didn't realy work out how i wanted to ( iow, it didn't work )

Here's a screenshot

what i've tried:
apt-get remove virtualbox-dkms pakage
apt-get install virtualbox-dkms pakage

*
apt purge vagrant
dkpg -i vagrant_2.0.0_84_64.deb
But, those didn't work as i said before.
Thanks for helping!
~Joe

Did you try apt-get install linux-headers-$(uname -r)?

No, i haven't tried yet.
I'll try today, hopefully that'll work!
Thanks for helping.
~Joe

Share Your Thoughts

  • Hot
  • Latest